ICO says companies are responsible for customer data in the cloud

Onus of responsibility falls on companies, not cloud network providers

Companies that pass customers' personal data to cloud network providers remain responsible for how that data is treated, the Information Commissioner’s Office (ICO) has confirmed.

Cloud computing is becoming an increasingly attractive option for companies, thanks to the economies of scale it offers and the access it provides to a range of computer technologies and expertise that would be difficult to afford in-house.

However, the ICO has raised concerns that many businesses do not realise they remain responsible for how data is looked after, even after passing it to the cloud network provider.

“The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility,” said ICO technology policy advisor Dr Simon Rice.

“Figures show that consumers are concerned about how secure their data is when they use cloud storage themselves. It takes little imagination to consider that businesses not reflecting those concerns will quickly find themselves losing customers’ good will.”

The guide offers tips on how to make sure data will be kept safe, and reminders to check the physical security of the cloud provider and have a written contract in place.

It also suggests putting a policy in place to make clear what is expected of the cloud provider, and provides legal information about transferring data internationally.

Commenting on the news, Paul Ayers, VP EMEA of data security expert Vormetric, said the guidelines serve as a timely reminder of the full extent of organisations’ data protection responsibilities and the dangers that can ensue if they are not managed appropriately.

“Some 'wishful thinking' enterprises believe that leveraging the cloud allows them to wash their hands of the need to secure their data. That is not the case. Companies still need to be able to establish where their data is held and define what data protection policies are in place,” he said.

The news comes as the European Commission announces a new strategy to speed up and increase the use of cloud computing, with the aim of creating 2.5 million new jobs and boosting GDP by €160 billion (£127bn) by 2020.

The EC believes that establishing common standards and clear contracts for the delivery of cloud services will improve the chances of European cloud providers growing to a competitive scale.